JWT and JWK x5u and x5c verification

[behrangsa]

When receiving a signed JWT token with a header such as:

{
    "x5t" : "thumbprint",
    "x5u ": "https://certificates.example.com/123456789.cer"
}

Where is the appropriate place for verifying the identity of https://certificates.example.com/123456789.cer, before resolving it and letting JJWT use it to verify the signature of the token? Should this also be done in the SigningKeyResolver? And if the verification fails, does it matter what exception is thrown or is it required to throw an io.jsonwebtoken.security.SecurityException?

[ChristopherSchultz]

Honestly, I think it makes more sense to support something like signWith(Certificate) for token-generation and setSigningKey(Certificate) for token-validation for starters. Then a future improvement could be useSigningKeyFromToken(true) or something to allow the library to go fetch the certificate and verify using it.

[ChristopherSchultz]

signWith(Certificate) for token-generation

🤦‍♂️

Of course, you can't sign with a Certificate, since the Certificate class doesn't expose the private key.

But maybe something like signWith(Certificate, PrivateKey) where the signWith method checks to see that (a) the private key belongs with the Certificate and (b) the certificate is valid, hasn't expired, etc.

[netmackan]

The way I have been considering is to use the SigningKeyResolver as you suggest.
Something like this:

JwtParser jwtParser = Jwts.parserBuilder().setSigningKeyResolver(new SigningKeyResolverAdapter() {

    @Override
    public Key resolveSigningKey(JwsHeader header, Claims claims) {
            String certUrl = header.get("x5u");
            // Fetch and parse certificate
            ...
            // Verify certificate chain, and if not valid and trusted and not revoked etc throw exception (which?)
            ...
            // If all ok:
            return cert.getPublicKey();
    }

}).build();

Jws<Claims> jws = jwtParser.parseClaimsJws(signedRequest);

But question remains what exception to use and if there is any downside of doing it like this or any alternative. I probably just go with JwtException for now.

[lhazlewood]

@netmackan your last example is exactly how you should handle x5u-to-publicKey lookup - nicely done. FWIW, SigningKeyResolver has been deprecated in favor of new Locator<Header> and JwtParserBuilder.keyLocator concepts that will be shortly released in 0.12.0. I'm closing this issue due to those options.

Thank you for your example!

[lhazlewood]

This and #741 are likely duplicates, but maybe not (this issue is for JWT verification key resolution, #741 is for JWK certificate verification)